🔧 sync

k8s/auth-server/base/auth-server-configmaps.yaml

@@ -37,6 +37,37 @@ data:
           }
         ]
       },
+      {
+        "id": "well-known",
+        "version": "v0.40.7",
+        "upstream": {
+          "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/alive"
+        },
+        "match": {
+          "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455/.well-known/alive",
+          "methods": [
+            "GET"
+          ]
+        },
+        "authenticators": [
+          {
+            "handler": "anonymous"
+          }
+        ],
+        "authorizer": {
+          "handler": "allow"
+        },
+        "mutators": [
+          {
+            "handler": "header",
+            "config": {
+              "headers": {
+                "X-User": "{{ print .Subject }}"
+              }
+            }
+          }
+        ]
+      },
       {
         "id": "deny-anonymous",
         "version": "v0.40.7",

k8s/eventrunner-api/base/ingress.yaml

@@ -5,12 +5,16 @@ metadata:
   namespace: eventrunner
   annotations:
     nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-api.default.svc.cluster.local:4456/decisions"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id"
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header Authorization $http_authorization;
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header X-Original-URI $request_uri;
       proxy_set_header X-Original-Method $request_method;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-Host $http_host;
       proxy_set_header X-Forwarded-Uri $request_uri;
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
 spec:
   ingressClassName: nginx
   rules:

k8s/nginx/configmap.yaml

@@ -5,15 +5,40 @@ metadata:
   namespace: ingress-nginx
 data:
   proxy-buffer-size: "16k"
+  proxy-headers-hash-max-size: "1024"
+  proxy-headers-hash-bucket-size: "128"
   server-snippet: |
     location = /auth {
       internal;
       proxy_pass http://oathkeeper-api.default.svc.cluster.local:4456/decisions;
+      proxy_method $request_method;
+      proxy_http_version 1.1;
+      proxy_connect_timeout 2s;
       proxy_pass_request_body off;
       proxy_set_header Content-Length "";
+    
+      # Headers for auth request
       proxy_set_header X-Original-URI $request_uri;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Original-Method $request_method;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-Host $host:$server_port;
-    }
+      proxy_set_header X-Forwarded-Uri $request_uri;
+    
+      # Additional headers that Oathkeeper might need
+      proxy_set_header Host $host;
+      proxy_set_header Authorization $http_authorization;
+    }
+
+  # Move the auth request configuration to configuration-snippet instead
+  configuration-snippet: |
+    auth_request /auth;
+    auth_request_set $auth_status $upstream_status;
+    auth_request_set $auth_user $upstream_http_x_user;
+    auth_request_set $auth_tenant_id $upstream_http_x_tenant_id;
+    auth_request_set $auth_request_id $upstream_http_x_request_id;
+
+    # Forward auth response headers to the backend
+    proxy_set_header X-User $auth_user;
+    proxy_set_header X-Tenant-ID $auth_tenant_id;
+    proxy_set_header X-Request-Id $auth_request_id;

k8s/ory/oathkeeper/oathkeeper-values.yaml

@@ -44,6 +44,8 @@ oathkeeper:
     authorizers:
       allow:
         enabled: true
+      deny:
+        enabled: true
 
     mutators:
       header: